Security vendor claims it was Microsoft's own code that created the thousands of bogus entries in Window's registry

Symantec on Thursday said it was Microsoft's code that crippled some PCs after upgrades to Windows XP Service Pack 3 (SP3) emptied Device Manager, deleted network connections, and packed the registry with thousands of bogus entries.

"We finally got to the bottom of this last night," said Dave Cole, Symantec's senior director for product management of its consumer software. "All of these problems are related to the same thing, a Microsoft file that created all the garbage entries [in the registry]."

He also said that some of the same symptoms had been acknowledged by Microsoft when users updated to Windows XP SP2 several years ago; Cole referenced a pair of Microsoft support documents to back up his claim.

Two weeks ago, after Microsoft launched Windows XP SP3 on Windows Update, users started reporting that their network cards and previously crafted connections had mysteriously vanished from Windows after updating with the service pack. The Device Manager had been emptied, they said, and Windows' registry, a directory that stores settings and other critical information, had been packed with large numbers of bogus entries.

Most users who posted messages on Microsoft's XP SP3 support forum said that the errant registry keys -- which started with characters such as "$%&" and appeared corrupted at first glance -- were located in sections devoted to settings for Symantec products. Not surprisingly, they quickly pinned blame on the security company.

Earlier this week, Symantec denied that its software was at fault, and instead pointed a finger at Microsoft.

Thursday, Cole said Symantec engineers had connected the current problem to a Microsoft file named "fixccs.exe." According to information on the Web, fixccs.exe stands for "Fix CCS MaxSubkeyName mismatch," and appears to be part of both XP SP3's and SP2's update packages.

Cole wasn't sure exactly what function fixccs.exe served. "But it caused similar problems with the Device Manager after SP2. It looks like it's reared its head again."

Two Microsoft support documents -- KB893249 and KB914450 -- both describe a problem remarkably similar to what users have reported recently. "After you install Windows XP Service Pack 2 (SP2) on a Windows XP-based computer, the Device Manager window is blank or some devices no longer appear," reads KB893249.

The fixccs.exe file attempts to make changes to the registry, said Cole, but in some cases also adds large numbers of unnecessary keys. When asked why so many users had reported seeing the errant entries in sections reserved for Symantec products, Cole called it "the luck of the draw. We have a fair number of keys in the registry, and we're on a lot of systems. This is not exclusive to Symantec."

Others have noted that too. A user identified as MRFREEZE61, who posted the first message on the Microsoft support forum thread two weeks ago, and later came up with a workaround, said as much today.

"The reported problems are not just limited to those using Symantec products," wrote MRFREEZE61 in a comment added to the original Computerworld story. "Folks on the forum report this specific registry corruption with no Symantec products installed at all. Some find this corruption in device control set enumerators associated with UPNP (Universal Plug and Play) and other 'legacy devices,' others from users of Avast [Antivirus]."

Fixccs.exe has also been linked to problems some users had installing early builds of XP SP3 late last year. In a support forum thread that started Dec. 22, 2007, Shashank Bansal, a Microsoft engineer helping users troubleshoot XP SP3 installation bugs, said: "This is a serious problem for us and we would like to investigate it to further depths. We would need help from all users on this forum for the same." Bansal then asked users who had had trouble updating from XP SP2 to SP3 to identify the process that had hung or had hogged CPU cycles. "Look out for cscipt.exe or fixccs.exe," he asked.

On Thursday, Cole said Symantec was working on a standalone tool that would delete the extraneous registry entries. "We hope to have it ready pretty quickly," he said. "We're working with Microsoft in the normal channels."

That word must not have trickled down to Microsoft's technical support representatives. Users who have posted to Symantec's support forum and others who have e-mailed Computerworld claim that they have been told by Microsoft support that the fault is all or partially Symantec's.

A user going by "ZLevee" copied messages received from Microsoft support to a Thursday post on the Symantec support site. "Based on the current research, the issue can probably be caused by the conflicts between SP3 and Norton. Please let me know if you have any Norton product installed.," ZLevee said the Microsoft support representative had claimed.

A Computerworld reader e-mailed an account of his experience last week with Microsoft's support. "I had an online chat with a tech support person named 'Obaid' on 5/18," said Thom Nielsen in the e-mail. "He told me that Symantec products do NOT work with XP SP3. He told me Symantec is aware of the problem(s) & is working on it."

"This is the first I've heard of this," said Cole when asked to comment. "I hope we can clear up any confusion."

When asked earlier Thursday whether it had uncovered any more information about the disappearing Device Manager and the corrupted registry entries, Microsoft said it nothing new to add beyond the recommendation it made Tuesday: that users contact the company's technical support desk if they have had problems upgrading to XP SP3.